This is a writeup for a security problem on the parse.com website. Parse.com is an acquisition of Facebook, and every security problem on this website is eligible for a bounty in the Facebook bug bounty program.

There was a problem with the download URL for important information about the applications you manage on your account.

The proof of concept below was made on Windows 7 Ultimate and was tested on IE, Chrome and Firefox.

Go to your parse.com account and try to download a file with important data:

After pressing the button from the image above, the following request is sent to the server:

The victim will download an HTML file that contains our malicious HTML+JavaScript payload. The payload above copies all the text that follows <h1 id='test'>, encodes it in base64 and sends it to my controlled server.